Mitigate CVE-2020-12638 WiFi WPA Downgrade (#1207)
Co-authored-by: Lukas Bachschwell <lukas@lbsfilm.at>
This commit is contained in:
parent
0af73c7903
commit
08c8fa2c90
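--- a/PATH_NOT_ON_PAGE_ESP32_WIFI_COMPONENT
+++ b/PATH_NOT_ON_PAGE_ESP32_WIFI_COMPONENT
@@ -391,6 +391,18 @@ void WiFiComponent::wifi_event_callback_(system_event_id_t event, system_event_i
 auto it = info.auth_change;
 ESP_LOGV(TAG, "Event: Authmode Change old=%s new=%s", get_auth_mode_str(it.old_mode),
 get_auth_mode_str(it.new_mode));
+// Mitigate CVE-2020-12638
+// https://lbsfilm.at/blog/wpa2-authenticationmode-downgrade-in-espressif-microprocessors
+if (it.old_mode != WIFI_AUTH_OPEN && it.new_mode == WIFI_AUTH_OPEN) {
+ESP_LOGW(TAG, "Potential Authmode downgrade detected, disconnecting...");
+// we can't call retry_connect() from this context, so disconnect immediately
+// and notify main thread with error_from_callback_
+err_t err = esp_wifi_disconnect();
+if (err != ESP_OK) {
+ESP_LOGW(TAG, "Disconnect failed: %s", esp_err_to_name(err));
+}
+this->error_from_callback_ = true;
+}
 break;
 }
 case SYSTEM_EVENT_STA_GOT_IP: {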
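Review bot: `err_t err = esp_wifi_disconnect();` stores the ESP-IDF `esp_err_t` result in lwIP's `err_t`, which is normally a signed 8-bit type, so the Wi-Fi error codes (which live above 0x3000) are truncated before the `err != ESP_OK` test and the `esp_err_to_name(err)` lookup, and the warning would name the wrong error; the line should read `esp_err_t err = esp_wifi_disconnect();`. Separately, `this->error_from_callback_ = true;` is written from the event callback and, per the comment two lines above it, read by the main thread; if the member is declared as a plain `bool` (its declaration is not in the hunk), consider `std::atomic<bool>` so the cross-task flag is not a data race. The check only reacts to a change already applied by the stack; unless the ESP32 connect path also sets a minimum `threshold.authmode` (not visible here), this mitigation is detection-only. The enclosing `wifi_event_callback_` starts and ends outside the hunk.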
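--- a/PATH_NOT_ON_PAGE_ESP8266_WIFI_COMPONENT
+++ b/PATH_NOT_ON_PAGE_ESP8266_WIFI_COMPONENT
@@ -220,6 +220,7 @@ bool WiFiComponent::wifi_sta_connect_(WiFiAP ap) {
 if (ap.get_password().empty()) {
 conf.threshold.authmode = AUTH_OPEN;
 } else {
+// Only allow auth modes with at least WPA
 conf.threshold.authmode = AUTH_WPA_PSK;
 }
 conf.threshold.rssi = -127;
@@ -399,6 +400,15 @@ void WiFiComponent::wifi_event_callback(System_Event_t *event) {
 auto it = event->event_info.auth_change;
 ESP_LOGV(TAG, "Event: Changed AuthMode old=%s new=%s", get_auth_mode_str(it.old_mode),
 get_auth_mode_str(it.new_mode));
+// Mitigate CVE-2020-12638
+// https://lbsfilm.at/blog/wpa2-authenticationmode-downgrade-in-espressif-microprocessors
+if (it.old_mode != AUTH_OPEN && it.new_mode == AUTH_OPEN) {
+ESP_LOGW(TAG, "Potential Authmode downgrade detected, disconnecting...");
+// we can't call retry_connect() from this context, so disconnect immediately
+// and notify main thread with error_from_callback_
+wifi_station_disconnect();
+global_wifi_component->error_from_callback_ = true;
+}
 break;
 }
 case EVENT_STAMODE_GOT_IP: {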
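Review bot: `wifi_station_disconnect();` in the second hunk discards the SDK's boolean result, so a failed disconnect is silent here while the ESP32 side of this commit logs it; mirror that with `if (!wifi_station_disconnect()) { ESP_LOGW(TAG, "Disconnect failed"); }`. The flag write `global_wifi_component->error_from_callback_ = true;` dereferences the global without a null check, which is only safe if the callback is registered after that pointer is set — not visible in the hunk. The event check is reactive (the auth-mode change has already been applied when it fires), whereas the `threshold.authmode = AUTH_WPA_PSK` in the first hunk is the preventive control, so the new comment there could usefully say `// Only allow auth modes with at least WPA (prevents the CVE-2020-12638 open-network downgrade)`. The enclosing `wifi_event_callback` starts and ends outside the hunk.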